
Bug#934342: stretch-pu: package fusiondirectory/1.0.19-1+deb9u1
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu

Hi,

I just uploaded two fusiondirectory fixes (one bug, one no-dsa CVE) for the next stretch point release:

+  * debian/patches:
+    + Add 0001_CVE-2019-11187_stricter-ldap-error-check.patch.
+      Perform stricter check on LDAP success/failure (CVE-2019-11187).

Considered a severe issue by upstream; the security team's assessment says:
no-dsa issue. In theory, the flaw that got fixed could let someone into
the FusionDirectory WebUI with a wrong password.

+  * debian/control:
+    + Add to D (fusiondirectory): php-xml. (Closes: #931959).

The installer setup requires php-xml, also valid for fusiondirectory in stretch.

Greets,
Mike

-- System Information:
Debian Release: 10.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-4-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_WARN, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff -Nru fusiondirectory-1.0.19/debian/changelog fusiondirectory-1.0.19/debian/changelog
--- fusiondirectory-1.0.19/debian/changelog	2017-01-22 21:54:59.000000000 +0100
+++ fusiondirectory-1.0.19/debian/changelog	2019-08-08 12:01:12.000000000 +0200
@@ -1,3 +1,13 @@
+fusiondirectory (1.0.19-1+deb9u1) stretch; urgency=medium
+
+  * debian/patches:
+    + Add 0001_CVE-2019-11187_stricter-ldap-error-check.patch.
+      Perform stricter check on LDAP success/failure (CVE-2019-11187).
+  * debian/control:
+    + Add to D (fusiondirectory): php-xml. (Closes: #931959).
+
+ -- Mike Gabriel <sunweaver@debian.org>  Thu, 08 Aug 2019 12:01:12 +0200
+
 fusiondirectory (1.0.19-1) unstable; urgency=medium
 
   [ Benoit Mortier ]
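Review bot: the second changelog bullet abbreviates the field as "Add to D (fusiondirectory): php-xml", which is unclear to anyone not used to that shorthand; spelling it out as "Add php-xml to Depends of fusiondirectory (needed by the installer setup). (Closes: #931959)" documents both the field and the reason given in the cover mail. The CVE bullet is fine as written since it names both the patch file and CVE-2019-11187.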
diff -Nru fusiondirectory-1.0.19/debian/control fusiondirectory-1.0.19/debian/control
--- fusiondirectory-1.0.19/debian/control	2017-01-22 21:52:35.000000000 +0100
+++ fusiondirectory-1.0.19/debian/control	2019-08-08 12:01:12.000000000 +0200
@@ -43,6 +43,7 @@
  php-ldap,
  php-recode,
  schema2ldif,
+ php-xml,
  smarty-gettext (>= 1.1),
  smarty3,
  ${misc:Depends},
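Review bot: the new "php-xml," entry is inserted between "schema2ldif," and "smarty-gettext", while the neighbouring php-* dependencies ("php-ldap,", "php-recode,") sit a few lines above; placing it next to them keeps the Depends list sorted and makes future merges of this block less conflict-prone. Purely a style point; the dependency itself is the one the cover mail justifies.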
diff -Nru fusiondirectory-1.0.19/debian/patches/0001_CVE-2019-11187_stricter-ldap-error-check.patch fusiondirectory-1.0.19/debian/patches/0001_CVE-2019-11187_stricter-ldap-error-check.patch
--- fusiondirectory-1.0.19/debian/patches/0001_CVE-2019-11187_stricter-ldap-error-check.patch	1970-01-01 01:00:00.000000000 +0100
+++ fusiondirectory-1.0.19/debian/patches/0001_CVE-2019-11187_stricter-ldap-error-check.patch	2019-08-08 12:01:12.000000000 +0200
@@ -0,0 +1,32 @@
+From f2fd17d4ddead5d3b61ddebf5fd21e043bda30be Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?C=C3=B4me=20Chilliet?= <come@opensides.be>
+Date: Mon, 29 Jul 2019 09:32:22 +0000
+Subject: [PATCH] Merge branch 'stricter-ldap-error-check' into '1.4-dev'
+
+:ambulance: fix(ldap) Use a stricter error check in ldap::success()
+
+See merge request fusiondirectory/fd!648
+
+(cherry picked from commit 29ca9876df28e45bb8f4f8960f3760c336936dfc)
+
+23936352 :ambulance: fix(ldap) Use a stricter error check in ldap::success()
+---
+ core/include/class_ldap.inc | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/core/include/class_ldap.inc b/core/include/class_ldap.inc
+index e5b04c28..54090353 100644
+--- a/core/include/class_ldap.inc
++++ b/core/include/class_ldap.inc
+@@ -906,7 +906,7 @@ class LDAP
+    */
+   function success()
+   {
+-    return preg_match('/Success/i', $this->error);
++    return (trim($this->error) === 'Success');
+   }
+ 
+   /*!
+-- 
+2.21.0
+
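Review bot: the one-line change is the security-relevant part and reads correctly: the old `preg_match('/Success/i', $this->error)` treats any diagnostic string that merely contains "success" anywhere, in any case, as a successful LDAP operation, whereas the new `(trim($this->error) === 'Success')` only accepts a string that is exactly "Success" after trimming surrounding whitespace, so every other error text now fails closed. Callers that test the result for truthiness keep working because the new expression returns a boolean rather than preg_match's 1/0/false. One documentation point: the patch carries git format-patch headers (accepted by DEP-3) and the upstream "cherry picked from commit 29ca9876..." line, but the CVE identifier appears only in the file name and the changelog; adding an "Origin:"/"Bug:" line referencing CVE-2019-11187 and the upstream merge request (fusiondirectory/fd!648) in the header would make the patch self-describing when it is read outside the Debian tree.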
diff -Nru fusiondirectory-1.0.19/debian/patches/series fusiondirectory-1.0.19/debian/patches/series
--- fusiondirectory-1.0.19/debian/patches/series	2016-11-26 20:01:13.000000000 +0100
+++ fusiondirectory-1.0.19/debian/patches/series	2019-08-08 12:01:12.000000000 +0200
@@ -2,3 +2,4 @@
 2001_fusiondirectory-apache.patch
 2002_fusiondirectory-headers.patch
 2003_fusiondirectory-setup.patch
+0001_CVE-2019-11187_stricter-ldap-error-check.patch
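Review bot: the new patch is appended to the end of series, after the 2001_ to 2003_ Debian-specific patches, but carries the numeric prefix 0001_, so the file name no longer reflects the order quilt applies it in (series order is what counts, so this works as-is). Either number it after the existing patches or keep the low number and place it first in series, whichever convention this package follows for upstream cherry-picks; the current mix is a minor consistency nit rather than a functional problem.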